I know:

  • Secure Boot - can use the TPM
  • Measured Boot - must use the TPM

Can anyone intimately familiar with these processes explain if any TPM owner-authorized commands are required or used in these processes?

Background: I am using a TPM in an enterprise application. I need to own it and certify my own root-of-trust for reporting.

However, out of the box, my TPM chip is owned, I'm assuming for UEFI stuff, as above.

I don't necessarily want to disable Secure Boot, but I do need ownership of the chip.

I'm hoping that if I take ownership, I can do what I want to do, and the UEFI and Secure Boot code can still do what it needs to do (simple key operations, checking signatures, etc.) without actual ownership.

Anyone know? If I clear the TPM and take ownership, what will happen if the OEM/PC manufacturer already owned it for UEFI?

Wilbur Whateley

1 Answer

From what I can tell in this guide, and I preface this by saying that I'm not an expert in TPMs, taking ownership of a TPM does not affect the Secure Boot options for an operating system.

Taking ownership of a TPM means resetting the keys within the TPM with a new ownership password. In Microsoft Windows, at least, this means that the TPM is consulted for any administrative privileges that are required.

Secure Boot/UEFI is a separate process that occurs during boot time. It does use keys from the TPM, but they're different from the "ownership keys". The TPM holds several different keys within its hardware to confirm the bootloader, or administrator privileges, etc.

RoraΖ